In Kinde, you can use SAML as your authentication protocol. Kinde acts as a service provider (SP), so you still need to bring your own identity provider (IdP) to set it up. Identity providers can include Google, Microsoft Azure, Cloudflare, and others.

Note: Since there are differences between set ups for each IdP, we are unable to provide full details on how to configure them all to connect with Kinde. However, the fields we mention below, should have similar names in your IdP.

Unfortunately we don’t currently support the use of digital certificates (certs). We are progressively optimising and improving our authentication features, and hope to support this in the near future.

Users must already exist in Kinde for SAML sign in to work. Users must also have the same email domain as the home realm domains you define.

You can import users in bulk or add them manually to Kinde.

1. In Kinde, go to Settings > Authentication.
2. Scroll down to the Enterprise connections area and select Add connections.
3. In the window that opens, select the SAML option and then Save. The SAML tile now appears as a connection.
4. Select Configure on the SAML tile. The configuration dialog opens. The information you enter here, needs to match the information in your identity provider settings.

5. Enter a name for the connection.
6. Enter an Entity ID. This is a value you can make up using a random alphanumeric string, e.g. 5836g209gbhw09r8y0913. The Entity ID you enter here must be configured exactly the same in your identity provider (unless your IdP is Microsoft Azure).
7. If your identity provider is Microsoft Azure, add spn: to the beginning of the Entity ID string in Kinde, e.g. spn:5836g209gbhw09r8y0913.
8. Enter the IdP metadata URL. This URL comes from your identity provider.
9. Enter an Email key attribute. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved. We do not recommend leaving this field blank, but if you do we will set ‘email’ as the attribute.
10. Enter any relevant Home realm domains. This is how SAML recognizes a user’s credentials and routes them to the correct sign in page. Note that home realm domains need to be unique across all connections in an environment. Read more about home realm domains.
11. Copy the ACS URL, which is also known as a reply URL. This will need to be copied to the relevant area of your identity provider configuration.
12. Select whether you want to automatically Create a user record in Kinde for new users. This can save time adding them manually or via API later.
13. Choose which applications you want to enable SAML for and select Save.
14. Complete any additional configuration in your identity provider settings, such as adding the Entity ID and ACS URL.

Once you have entered the ACS URL in your identity provider, the connection should be enabled.

1. Go to your test application and attempt to sign in.
2. If you left the Home realm domains field blank in Kinde, when you launch your application, you should see a button to sign in. Click it and go to step 4.
3. If you completed the Home realm domains field, you should be redirected immediately to your IdP sign in screen.
4. Enter your IdP details and complete any additional authentication required.